BrowExt - XSS Example
Last updated
Last updated
Learn & practice AWS Hacking: Learn & practice GCP Hacking:
In this setup, a content script is implemented to instantiate an Iframe, incorporating a URL with query parameters as the source of the Iframe:
A publicly accessible HTML page, message.html
, is designed to dynamically add content to the document body based on the parameters in the URL:
A malicious script is executed on an adversary's page, modifying the content
parameter of the Iframe's source to introduce a XSS payload. This is achieved by updating the Iframe's source to include a harmful script:
An overly permissive Content Security Policy such as:
allows the execution of JavaScript, making the system vulnerable to XSS attacks.
An alternative approach to provoke the XSS involves creating an Iframe element and setting its source to include the harmful script as the content
parameter:
The core issue arises from a DOM-based Cross-site Scripting (XSS) vulnerability located in /html/bookmarks.html
. The problematic JavaScript, part of bookmarks.js
, is detailed below:
This snippet fetches the value from the txtName
input field and uses string concatenation to generate HTML, which is then appended to the DOM using jQuery’s .append()
function.
While this vulnerability is significant, its exploitation is usually contingent on user interaction: visiting the page, entering an XSS payload, and activating the “Add” button.
To enhance this vulnerability, a secondary clickjacking vulnerability is exploited. The Chrome extension's manifest showcases an extensive web_accessible_resources
policy:
Notably, the /html/bookmarks.html
page is prone to framing, thus vulnerable to clickjacking. This vulnerability is leveraged to frame the page within an attacker’s site, overlaying it with DOM elements to redesign the interface deceptively. This manipulation leads victims to interact with the underlying extension unintentionally.
This example was taken from the .
Typically, the Chrome extension's Content Security Policy (CSP) would prevent such vulnerabilities. However, due to CSP relaxation with ‘unsafe-eval’ and the use of jQuery’s DOM manipulation methods (which employ to pass scripts to upon DOM insertion), exploitation is still possible.
Learn & practice AWS Hacking: Learn & practice GCP Hacking:
Check the !
Join the 💬 or the or follow us on Twitter 🐦 .
Share hacking tricks by submitting PRs to the and github repos.